Corporate Account Takeover (CATO)
What it is
Corporate account takeover is a form of financial fraud where cyber criminals gain access to business online banking accounts and initiate unauthorized fund transfers (e.g., ACH, check, wire transfers) to accounts that are under the cyber criminal’s control. These funds are often then transferred overseas and out of U.S. jurisdiction. The FBI estimates that corporate account takeover attacks have cost American companies hundreds of millions of dollars.
Corporate account takeover attempts were first reported in 2006 and originally targeted large corporations, but the focus has been redirected toward small and mid-sized businesses, municipalities, and nonprofit organizations. Unlike larger corporations, these smaller companies are perceived to lack the resources needed to prevent and detect a security breach, making them a more attractive target to the cyber criminals.
The Five Common Steps to Corporate Account Takeover
How it works
Cyber criminals will phish for victims using social engineering techniques in an attempt to lure unsuspecting users into installing malware. These techniques include:
- Email spoofing* and link manipulation*: methods used to disguise illicit emails and website links so that they appear to be from legitimate sources. These methods are used to trick employees into clicking on the malicious link by:
  - Making the email appear to come from a friend or coworker
  - Targeting specific businesses or groups using spear phishing* and whaling*
  - Sending mass emails to corporate employees disguised to appear to be from the business’s financial institution, vendor, or other corporate entity
- Hiding malware in attachments such as pictures, documents, and videos
- Enticing visitors on legitimate websites (particularly social networking sites) to click on malicious pop-up messages and phony friend requests.
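The email spoofing and link manipulation signs in the list above can be checked mechanically on an incoming message. The following Python code is an added example, not part of the original page: it flags a Reply-To domain that differs from the From domain, and links whose visible text names one host while the underlying address points to another. The helper names and the sample message are constructed for illustration, and the code assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links.append((self.href, "".join(self.text)))
            self.href = None

def host(value):  # host of a URL or URL-like text; "" when it is not URL-like
    value = value.strip()
    if " " in value or "." not in value:
        return ""
    try:
        return urlparse(value if "://" in value else "//" + value).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced brackets
        return ""

def same_site(a, b):  # equal or parent/subdomain only; sibling hosts are flagged
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def phishing_signs(raw):  # raw: one single-part HTML message as text
    msg, findings = message_from_string(raw), []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and not same_site(reply_dom, from_dom):
        findings.append(f"Reply-To {reply_dom} differs from From {from_dom}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        shown, actual = host(text), host(href)
        if shown and actual and not same_site(shown, actual):
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings

SAMPLE = ('From: "Example Bank" <alerts@examp1e-bank.test>\n'  # constructed, made-up domains
          "Reply-To: collect@mailbox.test\nContent-Type: text/html\n\n"
          '<a href="http://login.examp1e-bank.test/v">https://www.example-bank.test/login</a>\n')
```

Calling `phishing_signs(SAMPLE)` returns one finding for the Reply-To mismatch and one for the link whose visible text and destination disagree.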
The cyber criminals use these techniques to trick the corporate employees into entering nonpublic information (e.g., online banking credentials) and into clicking on the malicious link or attachment. In successful phishing attempts, where the user has clicked on the infected link or opened the infected attachment and the malware has been downloaded to the employee’s computer, the malware will:
- Allow the cyber criminal to track the employee’s activities on the Internet and on the business’s internal network.
- Run unnoticed in the background waiting for the employee to log into the business’s online banking account.
- Capture the online banking credentials (once the employee logs into the business’s online banking account) and transmit the information to the cyber criminal.
The cyber criminals will then use the credentials to log into the online banking account to alter or create unauthorized external fund transfers from the business’s account to an account they control. Money mules* are often used to open the domestic accounts where the money is first sent and to then transfer the funds overseas to the cyber criminals. The money mules are sometimes recruited by false work-at-home schemes and, even though they often retain a commission for their part, they may not always be aware of the perpetrated fraud.
Other techniques used by cyber criminals include:
- Launching a Man in the Middle or Man in the Browser* attack where the cyber criminal inserts themselves between the user and the online banking site in an effort to intercept the online banking credentials, alter transactions, and add unauthorized transactions to be transferred to an account controlled by the cyber criminals. During the attack, the cyber criminal intercepts all communication between the user’s browser and the online banking site and modifies what the user sees so the attack will go unnoticed. They may insert a fake page saying the online site is unavailable or make it appear that the site is working, but alter the payment information behind the scenes.
- Attempting to exploit the business’s check archiving system to issue counterfeit checks.
- Using the malware to access sensitive and proprietary information.
In addition to financial losses, corporate account takeover can result in reputational damages and other indirect losses to the business and financial institution.
Why you need to know
Thousands of businesses have already fallen victim to these attacks, which are costing financial institutions and businesses millions of dollars. It is vital that both financial institutions and businesses do everything they can to mitigate, identify, and respond to corporate account takeover.